General Data Protection Regulation FAQs

The General Data Protection Regulation (GDPR) is a new piece of legislation that has replaced the Data Protection Act 1998. The GDPR became enforceable law on 25 May 2018 and will enhance and strengthen individual rights, increase compliance obligations and expand investigative and enforcement powers for The Information Commissioner’s Office (ICO).

It impacts how companies collect, store and use customers’ personal data, as well as the controls and governance around these activities. The principles of data protection remain broadly similar to the previous legislation, but place more focus on organisational accountability. For full details of the GDPR, please visit the Information Commissioner’s Office (ICO) website.

“any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Personal data includes items such as:

Personal details

Family and lifestyle details

Education and training

Medical details

Employment details

Financial details

Contractual details (for example, goods and services provided to a data subject)

There is also a subset of personal data known as ‘special category data’. This is personal data which is deemed more sensitive under the GDPR and so requires greater safeguards to ensure its protection.

Examples of special category data include:

Racial or ethnic origin

Political opinion

Religious beliefs or other beliefs of a similar nature

Trade Union membership

Physical or mental health or condition

Sexual life

Biometrics

There are separate safeguards for personal data relating to criminal convictions and offences. For more information on this, please visit the Information Commissioner’s Office (ICO) website.

Nationwide regularly reviews its Terms and Conditions and will continue to monitor and make changes where it sees fit. We’re not looking to make explicit changes to our contracts with members. We have however updated our Fair Processing Notice to bring it in line with the demands of the regulation and improve its usability.

“Data subject means an individual who is the subject of personal data.”;

“Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”;

“Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.”

For more information on this, please visit the Information Commissioner’s Office (ICO) website.

The intermediary is acting as an independent Data Controller in respect of the personal data that they capture and process as part of their advice activities, to the extent that inputting data into Nationwide’s systems when a customer selects a Nationwide product amounts to “processing”. The relationship is on a Data Controller to Data Controller basis, because neither party is processing personal data on behalf of the other. Instead, each is determining its own purpose for processing that data (i.e. to introduce the business and obtain a procuration fee, and to service those customers).

Where the intermediary passes data over to Nationwide and Nationwide is considering whether to lend to a customer, Nationwide and the intermediary are each acting as a Data Controller. This is because Nationwide is processing that data for its own purposes (i.e. to determine whether to lend or not, irrespective of whether this is at DIP or FMA stage). The intermediary is submitting that data to Nationwide for its own purposes and not under Nationwide’s instructions. As such, the intermediary remains a Data Controller too.

We’ve updated our fair processing notices as well as our terms of business in order to comply with the GDPR. As part of the application process, you’ll be asked to confirm that your client has seen ‘How Nationwide uses your information’ and has understood how their information will be used.

This website is for the use of professional mortgage intermediaries or financial advisers only. If you reproduce any information contained in this website, to be used with or to advise clients, you must ensure it follows the FCA’s advising and selling standards.